New research reveals that Google’s Messages and Calls applications have been collecting user data and sending it to Google’s servers without notifying users or obtaining their agreement, possibly in violation of the European Union’s General Data Protection Regulation (GDPR).
Douglas Leith, a computer science professor at Trinity College Dublin, documents in his article, “What Data Do the Google Dialer and Messages Apps on Android Send to Google?”, that both apps send data to Google.
It has been discovered that Google’s Messages and Dialer applications have been transferring data to the company’s servers without receiving explicit user approval.
The specific information collected by these applications includes an SHA-256 hash of the messages and their timestamp, phone numbers, incoming and outgoing call records, as well as the length of time spent on each phone conversation.
The information is then sent to the company’s servers via the Google Play Services Clearcut logger service and the Google Play Services Firebase Analytics service. It helps the firm establish a connection between the message sender and the receiver, or between the two devices participating in a call.
Although only a 128-bit value of the message hash is sent to Google’s server, Leith thinks that for short messages it is feasible to reverse the hash and discover the content of the message. For the time being, however, this is only an assumption, and there is no real proof of concept available.
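The reasoning behind that concern can be shown with a small added example, which is not code from the study or from Google: when the hashed input comes from a small set of likely messages, whoever holds the hash can enumerate candidates until one matches. The input format (SHA-256 of the UTF-8 text alone, first 128 bits kept), the vocabulary and the sample message are assumptions constructed for illustration; the keyed variant shows why a secret held only on the device blocks the same enumeration.

```python
import hashlib
import hmac
import itertools
import os

# Constructed vocabulary standing in for common short-message words (assumption).
VOCAB = ["ok", "yes", "no", "call", "me", "on", "my", "way",
         "running", "late", "see", "you", "soon"]

def truncated_hash(text: str) -> bytes:
    """SHA-256 of the UTF-8 text, keeping 128 bits (assumed input format)."""
    return hashlib.sha256(text.encode("utf-8")).digest()[:16]

def keyed_hash(text: str, key: bytes) -> bytes:
    """HMAC-SHA-256 under a key that never leaves the device, same 128-bit length."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()[:16]

def candidates(max_words: int):
    """Every phrase of 1..max_words vocabulary words, space separated."""
    for n in range(1, max_words + 1):
        for words in itertools.product(VOCAB, repeat=n):
            yield " ".join(words)

def recover(target: bytes, hash_fn, max_words: int = 3):
    """Return (message, guesses) if a candidate hashes to target, else (None, guesses)."""
    tried = 0
    for msg in candidates(max_words):
        tried += 1
        if hmac.compare_digest(hash_fn(msg), target):
            return msg, tried
    return None, tried

def demo():
    secret = "on my way"  # constructed sample message
    found, tried = recover(truncated_hash(secret), truncated_hash)
    device_key = os.urandom(32)  # random key that stays on the handset
    observer_key = bytes(32)     # a party without the key can only guess one
    target = keyed_hash(secret, device_key)
    blocked, total = recover(target, lambda m: keyed_hash(m, observer_key))
    return found, tried, blocked, total

if __name__ == "__main__":
    found, tried, blocked, total = demo()
    print(f"unkeyed: recovered {found!r} after {tried} guesses")
    print(f"keyed:   recovered {blocked!r} after {total} guesses")
```

Real messages draw on a far larger candidate space than this 13-word vocabulary, so the guess count here says nothing about the cost against actual traffic; the point is only that an unkeyed hash offers no protection beyond the unpredictability of its input.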
Another finding of the study is that neither the Google applications nor Google Play explicitly address, in their own privacy policies, the acquisition of data via third-party apps.
In fact, when one uses Google Takeout to export the data linked with their account, the information is not even made accessible for download. Although Google Play Services warns users that certain information is being gathered for the sake of security and fraud prevention, there is no explanation as to why this information is being collected.